Vulnerability Assessment Report Format Data Model


(1)

Vulnerability Assessment Report Format Data Model

Dr. D. Polemi, G. Valvis, I3E'2005

(2)

Issues

Attack paradigm

Vulnerability exploit life cycle

Vulnerability assessment process

Challenges in vulnerability assessment process

VARF data model

Vulnerability diagram

(3)

Attack Paradigm

• Information gathering
  – Determination of the characteristics of the target network, such as network topology, host OS type and listening services
• Exploitation
  – Compromise of a vulnerable host on the target network
• Metastasis
  – Consolidation: remove any evidence of the exploitation phase, and ensure that remote access is available to the attacker
  – Continuation: utilize 'passive' as well as 'active' attack methods to deepen the penetration

[Figure: the four phases 1. Reconnaissance, 2. Exploitation, 3. Consolidation, 4. Continuation, traced from the attacker through IP Address 1, 2, 3 and 4 to the Victim.]

(4)

Vulnerability Exploit Cycle

[Figure: the cycle runs through the following stages.]

1. Advanced intruders discover a new vulnerability
2. Crude exploit tools are distributed
3. Novice intruders use the crude exploit tools
4. Automated scanning/exploit tools are developed
5. Widespread use of automated scanning/exploit tools
6. Intruders begin using new types of exploits

(5)

The vulnerability assessment process

A.I.D.A.

• Attention: do we pay attention to our weak points?
  – We find them by scanning our assets
  – Use vulnerability assessment tools for efficiency
  – In large networks different tools are deployed for more complete coverage
• Interest: how do we focus on the most interesting issues?
  – Analysis and prioritization
  – A large number of vulnerabilities are of low risk or irrelevant to the specific environment
  – Critical vulnerabilities need to be dealt with as a priority
• Decision: remediation planning

(6)

Challenges in the vulnerability assessment process

• For a complex IT environment most of the analysis work must be done by humans
• The tools generate a large volume of data
• Different vulnerability assessment tools provide heterogeneous output
• Effective communication between existing tools suffers from a lack of common ground

(7)

[Figure: the vulnerability management funnel over multiple hosts.]

Scanning -> Vulnerabilities (100%)
Analysis and prioritization (manual today; automation opportunity) -> Critical vulnerabilities (< 2%)
Remediation planning (manual) -> Remediation actions (0.5%)
Time to remediation: weeks/months
Large window of exposure: decreased security level

(8)

Vulnerability report model

• The focus of the model is to facilitate the analysis and prioritization stage
• The model is based on a comparison of:
  – the latest versions of Nessus XML reports and SARA™ reports, and
  – the latest Intrusion Detection Message Exchange Format (IDMEF) and Incident Object Description and Exchange Format (IODEF) drafts
• There was an effort to reuse IDMEF elements, either directly or by sub-classing them to add functionality
• The Vulnerability XML report is structured in order to extract the asset information and group the associated vulnerabilities
• The two main elements provided are ScanAlert and Report

(9)

Vulnerability report model (cont.)

[Diagram: the VARF report model. In the slide, '#' marks asset information, '*' vulnerability information and '$' tool information. The element names shown are:]

ScanAlert (alert to IDS)
  ScanInformation $
  TargetInformation #
    Node
VulnerabilityReport
  Report
    ScanInformation $
      Tool {name, version}
      Scanner
      Date
    Summary
    Results #
      Target
        Node
        OS
        Date
        Services
          Service
            Name
            Number
            Protocol
            Vulnerabilities *

(10)

[Diagram: vulnerability information (*) within the report.]

Vulnerabilities
  Vulnerability *
    Name
    Family ('family' of services affected)
    Category (category of attack: Information, Remote Access, ...)
    Summary
    Data
    Classification {origin}
      Name
      URL
    Assessment
      Severity (Security Note / Warning / Hole)
      Risk (risk factor: High, ...)

(11)

<ScanAlert> Class

<ScanAlert>

• It is modeled on the IODEF IncidentAlert but provides a different type of functionality
  – The IncidentAlert is used simply to alert someone/something to the occurrence of an incident and to provide relevant information (such as raw IDMEF messages)
  – ScanAlert alerts an intrusion detection management system or other management system that a scan is going to be performed
• As part of this alert, the scanner provides ScanInformation and TargetInformation

(12)

<ScanAlert> Class (cont.)

<ScanInformation>

• It encapsulates information such as
  – the tool that is performing the scan and the version of the tool
  – information about the node that is being used to launch the scan
  – time information for documenting the scan, and a general description

<TargetInformation>

• This element documents the targets of the scan and contains the following items:

(13)

Major <Report> classes

<Results>

• This element is meant to take the place of Nessus Results and SARA Details
• It is closely tied to the IODEF Attack class, which in turn shares structure with IDMEF Alerts

<Target>

• Uses the IDMEF/IODEF Target class to achieve a standard format for representing the host-specific information
• It includes
  – the <Node> class, which contains the address and name elements
  – the <OS> element (type of operating system) and the <Date> element

<Service>

• This class generically describes network services; a network service is defined by name and port
• It includes the <Vulnerabilities> class, since one service may have multiple vulnerabilities

(14)

<Vulnerability> Class

<Vulnerability>

• This class describes a vulnerability by
  – Name
  – Family of services affected (e.g. FTP)
  – Category of attack (e.g. Information, Access, etc.)
• It includes the <Classification> and <Assessment> classes and additional data

<Classification>

• Allows the manager who receives the Report messages to obtain additional information
• The origin of the source (CVE, Bugtraq), its name and its URL are included

<Assessment>

• Provides information related to the scanner's assessment of the vulnerability
• Includes the elements <Risk> and <Severity>
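To make the data model concrete, here is an added example (not code from the paper or from the VARF project) in Python that builds a VARF-style report from a constructed scan record, using the element names shown on the slides (Report, ScanInformation, Results, Target, Node, OS, Service, Vulnerabilities, Vulnerability, Classification, Assessment), and then performs the analysis-and-prioritization step over the resulting XML, keeping only the findings at or above a risk threshold. The shape of the input record, the element nesting, the attribute names, the `https://example.invalid/...` URLs and the `CVE-0000-*`/`BID-0` references are all assumptions or placeholders; the paper provides no schema and no sample data.

```python
import xml.etree.ElementTree as ET

# Constructed sample scan record (an ASSUMED flattened shape for this example,
# not the Nessus v2 schema). Each finding is (name, family, category, severity,
# risk, origin, reference); addresses, host names and references are placeholders.
SAMPLE_SCAN = {
    "tool": ("nessus", "2.2"), "scanner": "10.0.0.5", "date": "2005-06-01T10:00:00Z",
    "hosts": [
        ("10.0.0.10", "ftp-srv", "Linux 2.4", [
            ("ftp", 21, "tcp", [
                ("Anonymous FTP enabled", "FTP", "Information",
                 "Security Warning", "Medium", "CVE", "CVE-0000-0001"),
                ("FTP server remote overflow", "FTP", "Remote Access",
                 "Security Hole", "High", "CVE", "CVE-0000-0002")]),
            ("http", 80, "tcp", [
                ("Web server version disclosure", "Web Servers", "Information",
                 "Security Note", "Low", "Bugtraq", "BID-0")])]),
        ("10.0.0.11", "db-srv", "Windows 2000", [
            ("ms-sql-s", 1433, "tcp", [
                ("SQL server blank sa password", "Databases", "Remote Access",
                 "Security Hole", "High", "CVE", "CVE-0000-0003")])]),
    ],
}

# Nessus-style risk factors, ordered so a threshold can be applied.
RISK_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def _leaf(parent, tag, text):
    ET.SubElement(parent, tag).text = str(text)

def build_varf(scan):
    """Map a scan record onto the VARF element names from the slides. The
    nesting and the attribute names are assumptions; the page shows no schema."""
    root = ET.Element("VulnerabilityReport")
    report = ET.SubElement(root, "Report")
    info = ET.SubElement(report, "ScanInformation")
    ET.SubElement(info, "Tool", name=scan["tool"][0], version=scan["tool"][1])
    _leaf(info, "Scanner", scan["scanner"])
    _leaf(info, "Date", scan["date"])
    summary = ET.SubElement(report, "Summary")
    results = ET.SubElement(report, "Results")
    total = 0
    for address, hostname, os_name, services_in in scan["hosts"]:
        target = ET.SubElement(results, "Target")
        node = ET.SubElement(target, "Node")
        _leaf(node, "Address", address)
        _leaf(node, "Name", hostname)
        _leaf(target, "OS", os_name)
        _leaf(target, "Date", scan["date"])
        services = ET.SubElement(target, "Services")
        for svc_name, port, proto, findings in services_in:
            service = ET.SubElement(services, "Service")
            _leaf(service, "Name", svc_name)
            _leaf(service, "Number", port)
            _leaf(service, "Protocol", proto)
            vulns = ET.SubElement(service, "Vulnerabilities")
            for name, family, category, severity, risk, origin, ref in findings:
                total += 1
                vuln = ET.SubElement(vulns, "Vulnerability")
                for tag, value in (("Name", name), ("Family", family), ("Category", category)):
                    _leaf(vuln, tag, value)
                cls = ET.SubElement(vuln, "Classification", origin=origin)
                _leaf(cls, "Name", ref)
                _leaf(cls, "URL", f"https://example.invalid/{origin}/{ref}")  # placeholder URL
                assessment = ET.SubElement(vuln, "Assessment")
                _leaf(assessment, "Severity", severity)
                _leaf(assessment, "Risk", risk)
    summary.text = f"{len(scan['hosts'])} targets, {total} vulnerabilities"
    return root

def to_xml(scan):
    """Serialize the VARF tree: the output of the 'generate VARF XML' step."""
    return ET.tostring(build_varf(scan), encoding="unicode")

def critical_findings(varf_xml, min_risk="High"):
    """Analysis-and-prioritization step over VARF XML: keep only findings rated
    min_risk or above, highest risk first, as (address, service/port,
    vulnerability name, reference, risk) tuples."""
    root = ET.fromstring(varf_xml)
    rows = []
    for target in root.iter("Target"):
        address = target.findtext("Node/Address")
        for service in target.iter("Service"):
            svc_id = f"{service.findtext('Name')}/{service.findtext('Number')}"
            for vuln in service.iter("Vulnerability"):
                risk = vuln.findtext("Assessment/Risk")
                if RISK_ORDER.get(risk, 0) >= RISK_ORDER[min_risk]:
                    rows.append((address, svc_id, vuln.findtext("Name"),
                                 vuln.findtext("Classification/Name"), risk))
    rows.sort(key=lambda row: -RISK_ORDER[row[4]])  # stable: scan order kept per level
    return rows

if __name__ == "__main__":
    for row in critical_findings(to_xml(SAMPLE_SCAN)):
        print(row)
```

The point of the round trip is that the prioritization works on the VARF XML alone, not on any scanner's native output: once a Nessus or SARA report has been mapped onto these elements, the same `critical_findings` filter applies to both, which is the "common ground" the slides ask for.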

(15)

XSL transformations

• Generate VARF XML
• HTML presentation
• Creation of the vulnerability diagram: a visual representation of the association between assets and vulnerabilities

(16)

XSL transformations: Generate

[Figure: Nessus server (nessusd) -> Nessus client -> scanning report (Nessus v2.x XML, from the network vulnerability assessment tool) -> parser applying XSL: Nessus v2 -> VARF -> VARF XML.]

(17)

HTML presentation

(18)

[Figure: VARF XML -> parser applying XSL: VARF XML -> VARF HTML -> VARF-HTML.]

(19)

Vulnerability Diagram

• XML represents data as a tree, which is hard for a human to understand; visualization lessens the burden
• Complete vulnerability diagrams
  – Show all discovered vulnerabilities, but the structures are very large and hard to scale
• Reduced vulnerability diagrams
  – Cut sets of vulnerabilities: which services, if suspended, leave the network secure?
  – The results inform the administrator which services are, perhaps, too costly
• A vulnerability diagram can be a subset of an attack tree

(20)

[Figure: VARF XML -> parser applying XSLT: VARF XML to Dot -> Dot file (Graphviz-compliant format) -> Graphviz -> vulnerability diagram.]

(21)

Vulnerability diagram (concept)

[Figure: each Target (1..N), identified by IP address, links to its Services (1..n); each Service links to its Vulnerabilities (1..m), each annotated with a risk factor and a CVE ID. The same Vulnerability (1) is shown linked to services on different targets.]
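An added example (not the authors' XSLT, and not code from the paper) in Python of the two steps shown on the vulnerability diagram slides: emitting the complete diagram as a Graphviz Dot file from a Target -> Service -> Vulnerability structure, reducing it by a risk threshold, and answering the cut-set question "which services, if suspended, leave the network secure?" together with the collateral cost of each suspension. The input structure, the addresses and the `CVE-0000-*`/`BID-0` identifiers are constructed placeholders, and the cost measure (clean hosts that would lose the same service) is an assumption made here to give "too costly" a concrete reading; the slides do not define one.

```python
# Constructed sample shaped like the VARF Report tree Target -> Service ->
# Vulnerability. Addresses and the CVE-0000-*/BID-0 identifiers are placeholders.
TARGETS = {
    "10.0.0.10": {
        "ftp/21": [("CVE-0000-0001", "Medium"), ("CVE-0000-0002", "High")],
        "http/80": [("BID-0", "Low")],
    },
    "10.0.0.11": {
        "ms-sql-s/1433": [("CVE-0000-0003", "High")],
        "http/80": [("CVE-0000-0004", "High")],
    },
}

RISK_ORDER = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
RISK_COLOR = {"Critical": "red", "High": "red", "Medium": "orange", "Low": "yellow"}

def to_dot(targets):
    """Emit a Graphviz Dot graph: Target -> Service -> Vulnerability, each
    vulnerability labelled with its identifier and risk factor (the concept slide).
    Service nodes are keyed by host so 'http/80' on two hosts stays distinct;
    vulnerability nodes are keyed by identifier, so one vulnerability found on
    several services is a single node with several incoming edges."""
    lines = ["digraph vulnerability_diagram {", "  rankdir=LR;", "  node [shape=box];"]
    for address, services in targets.items():
        lines.append(f'  "{address}" [label="Target\\n{address}"];')
        for svc, vulns in services.items():
            svc_node = f"{address}/{svc}"
            lines.append(f'  "{svc_node}" [label="Service\\n{svc}"];')
            lines.append(f'  "{address}" -> "{svc_node}";')
            for ident, risk in vulns:
                color = RISK_COLOR.get(risk, "white")
                lines.append(f'  "{ident}" [label="{ident}\\nRisk: {risk}", '
                             f'style=filled, fillcolor={color}];')
                lines.append(f'  "{svc_node}" -> "{ident}";')
    lines.append("}")
    return "\n".join(lines)

def reduce_diagram(targets, min_risk="High"):
    """Reduced diagram: drop every vulnerability below min_risk, then every
    service and target left with nothing to show."""
    threshold = RISK_ORDER[min_risk]
    reduced = {}
    for address, services in targets.items():
        kept = {svc: [v for v in vulns if RISK_ORDER.get(v[1], 0) >= threshold]
                for svc, vulns in services.items()}
        kept = {svc: vulns for svc, vulns in kept.items() if vulns}
        if kept:
            reduced[address] = kept
    return reduced

def suspension_plan(targets, min_risk="High"):
    """The cut-set question: which services, if suspended network-wide, leave
    no vulnerability at or above min_risk? In the tree model every vulnerability
    hangs off exactly one service, so the cut set is simply the set of service
    names left in the reduced diagram. The cost side (an assumption of this
    example): hosts that run the same service cleanly and would lose it too.
    Returns (service name, exposed hosts, collateral hosts), most costly first."""
    exposed = {}
    for address, services in reduce_diagram(targets, min_risk).items():
        for svc in services:
            exposed.setdefault(svc.split("/")[0], set()).add(address)
    plan = []
    for name, hosts in exposed.items():
        collateral = {address for address, services in targets.items()
                      if address not in hosts
                      and any(svc.split("/")[0] == name for svc in services)}
        plan.append((name, sorted(hosts), sorted(collateral)))
    plan.sort(key=lambda row: (-len(row[1]), -len(row[2]), row[0]))
    return plan

if __name__ == "__main__":
    print(to_dot(reduce_diagram(TARGETS)))  # pipe into: dot -Tpng -o reduced.png
    for name, hosts, collateral in suspension_plan(TARGETS):
        print(f"suspend {name}: exposed on {hosts}, collateral {collateral}")
```

Rendering is `python3 diagram.py | dot -Tpng -o reduced.png`. Note that in the pure tree model the cut set is not a search problem: each vulnerability belongs to one service, so suspending every service that still appears in the reduced diagram is the only answer, and what the plan adds is the cost of each suspension. The search only becomes non-trivial when the diagram is embedded in an attack tree with AND nodes, where a single vulnerability may not be sufficient for compromise.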

(22)
(23)

In order to reduce the window of exposure, security personnel need a way to set priorities and reduce the volume of vulnerability reports down to the few critical risks that matter. Due to the proprietary nature of the reports and the lack of standardization, this process is burdensome.

A standards-based format for reporting vulnerabilities would allow easier analysis and sharing of information with other data sets from a variety of compliant tools and systems. VARF was motivated by the above and is based on existing standardization efforts.

Vulnerability diagrams visualize the vulnerability management effort.
